package com.tivoli.am.fim.demo.callerazn;

import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;
import com.tivoli.am.fim.trustserver.sts.STSGroupMembership;
import com.tivoli.am.fim.trustserver.sts.STSMode;
import com.tivoli.am.fim.trustserver.sts.STSModule;
import com.tivoli.am.fim.trustserver.sts.STSModuleException;
import com.tivoli.am.fim.trustserver.sts.STSRequest;
import com.tivoli.am.fim.trustserver.sts.STSResponse;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;

/* loaded from: input_file:com/tivoli/am/fim/demo/callerazn/CallerAznSTSModule.class */
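/**
 * STS module that authorizes the WebSphere caller of a trust-chain request against a
 * configured user list.
 *
 * <p>Behavior, as driven by two properties read from the request's group membership
 * (presumably the module's own chain configuration — confirm against the chain definition):
 * <ul>
 *   <li>{@value #CONFIG_DEFAULT_POLICY} = {@value #POLICY_UNAUTHENTICATED}: no check at all;
 *       every caller passes. This is effectively a fail-open setting and should be chosen
 *       deliberately.</li>
 *   <li>{@value #CONFIG_DEFAULT_POLICY} = {@value #POLICY_ALLOW}: the list in
 *       {@value #CONFIG_USER_LIST} is a <em>deny</em> list.</li>
 *   <li>{@value #CONFIG_DEFAULT_POLICY} = {@value #POLICY_DENY}: the list in
 *       {@value #CONFIG_USER_LIST} is an <em>allow</em> list; an absent or empty list therefore
 *       denies everyone.</li>
 * </ul>
 * Names are compared exactly (case-sensitive {@code String} equality) against
 * {@link Principal#getName()} of the caller subject's principals. A denied caller, or a caller
 * whose name cannot be determined, is rejected by throwing {@link STSModuleException}, so the
 * module fails closed. Only {@link STSMode#AUTHORIZE} invocations perform the check; other
 * modes are a pass-through.
 *
 * <p>Changes from the decompiled original: the synthetic {@code class$0} class-literal cache
 * and its non-compiling error path are replaced by a plain class literal, the
 * catch-and-rethrow in {@link #invoke} is restored to {@code try}/{@code finally}, log records
 * report {@code doAuthorize} as their source method instead of the mislabelled {@code doMap},
 * and the raw {@code HashSet}/{@code StringBuffer} usage is replaced by typed collections and
 * plain concatenation. Log message texts and exception messages are unchanged.
 */
public class CallerAznSTSModule implements STSModule {
    /** Fully-qualified class name; logger name and {@code sourceClass} of every log record. */
    static final String CLASS = CallerAznSTSModule.class.getName();
    /** Configuration key holding the default policy (one of the {@code POLICY_*} values). */
    static final String CONFIG_DEFAULT_POLICY = "callerazn.default.policy";
    /** Configuration key holding the multi-valued user list; its meaning depends on the policy. */
    static final String CONFIG_USER_LIST = "callerazn.user.list";
    /** Policy value: skip authorization entirely. */
    static final String POLICY_UNAUTHENTICATED = "unauthenticated";
    /** Policy value: default allow; the user list is a deny list. */
    static final String POLICY_ALLOW = "allow";
    /** Policy value: default deny; the user list is an allow list. */
    static final String POLICY_DENY = "deny";
    /** Message carried by the exception that signals an authorization failure. */
    static final String MSG_AZN_DENIED = "Authorization Denied";

    Logger _log = Logger.getLogger(CLASS);

    /**
     * No-op: this module holds no resources.
     *
     * @throws STSModuleException never, declared to satisfy the interface
     */
    @Override
    public void destroy() throws STSModuleException {
    }

    /**
     * No-op: all configuration is read per request from the group membership in
     * {@link #doAuthorize}, so the init map is ignored.
     *
     * @param map module initialization parameters (ignored)
     * @throws STSModuleException never, declared to satisfy the interface
     */
    @Override
    public void init(Map map) throws STSModuleException {
    }

    /**
     * Entry point called by the trust chain for each mode.
     *
     * @param sTSMode the chain phase being executed
     * @param sTSRequest the request; consulted only in {@link STSMode#AUTHORIZE}
     * @param sTSResponse the response; not modified by this module
     * @return always {@code true} (processing continues) unless an exception is thrown
     * @throws STSModuleException if the caller is not authorized or the caller identity
     *     cannot be established (see {@link #doAuthorize})
     */
    @Override
    public boolean invoke(STSMode sTSMode, STSRequest sTSRequest, STSResponse sTSResponse) throws STSModuleException {
        this._log.entering(CLASS, "invoke");
        try {
            // Only the AUTHORIZE phase is enforced; every other mode is a pass-through.
            if (STSMode.AUTHORIZE == sTSMode) {
                doAuthorize(sTSRequest, sTSResponse);
            }
            return true;
        } finally {
            this._log.exiting(CLASS, "invoke");
        }
    }

    /**
     * Performs the authorization decision for the current WebSphere caller.
     *
     * <p>Reads the policy and user list from the request's group membership, validates the
     * policy, resolves the caller's principal name and applies the list with the semantics
     * described on the class. Diagnostic detail is logged at {@link Level#FINEST} only.
     *
     * @param sTSRequest the request whose group membership carries the configuration
     * @param sTSResponse the response; not modified
     * @throws STSModuleException with {@value #MSG_AZN_DENIED} when the caller is denied, when
     *     the policy value is not recognized, when no caller name can be obtained, or wrapping
     *     a {@link WSSecurityException} raised while reading the caller subject
     */
    void doAuthorize(STSRequest sTSRequest, STSResponse sTSResponse) throws STSModuleException {
        this._log.entering(CLASS, "doAuthorize");
        try {
            STSGroupMembership membership = sTSRequest.getRequestGroupMembership();
            String policy = membership.getSelfProperty(CONFIG_DEFAULT_POLICY);
            String[] configuredUsers = membership.getSelfProperties(CONFIG_USER_LIST);
            Set<String> userList = new HashSet<String>();
            if (configuredUsers != null) {
                userList.addAll(Arrays.asList(configuredUsers));
            }
            boolean finest = this._log.isLoggable(Level.FINEST);
            if (finest) {
                this._log.logp(Level.FINEST, CLASS, "doAuthorize", describeConfig(policy, configuredUsers));
            }
            // Rejects null/unknown policy values before any of them is compared below.
            validateParams(policy, configuredUsers);
            if (POLICY_UNAUTHENTICATED.equals(policy)) {
                if (finest) {
                    this._log.logp(Level.FINEST, CLASS, "doAuthorize", "Policy is unauthenticated, nothing to do.");
                }
                return;
            }
            String userName = callerPrincipalName(finest);
            if (userName == null) {
                // Fail closed: with no identifiable caller there is nothing to authorize against.
                throw new STSModuleException("Unable to obtain username from WebSphere");
            }
            if (finest) {
                this._log.logp(Level.FINEST, CLASS, "doAuthorize", "Final principal name " + userName);
            }
            boolean listed = userList.contains(userName);
            if (POLICY_ALLOW.equals(policy)) {
                // Default allow: the configured list is a deny list.
                if (listed) {
                    if (finest) {
                        this._log.logp(Level.FINEST, CLASS, "doAuthorize", "Default policy is allow and user: " + userName + " in deny list, denying.");
                    }
                    throw new STSModuleException(MSG_AZN_DENIED);
                }
                if (finest) {
                    this._log.logp(Level.FINEST, CLASS, "doAuthorize", "Default policy is allow and user: " + userName + " not in deny list, allowing.");
                }
            } else {
                // validateParams leaves only POLICY_DENY here: the configured list is an allow list.
                if (!listed) {
                    if (finest) {
                        this._log.logp(Level.FINEST, CLASS, "doAuthorize", "Default policy is deny and user: " + userName + " not in allow list, denying.");
                    }
                    throw new STSModuleException(MSG_AZN_DENIED);
                }
                if (finest) {
                    this._log.logp(Level.FINEST, CLASS, "doAuthorize", "Default policy is deny and user: " + userName + " in allow list, allowing.");
                }
            }
        } catch (WSSecurityException e) {
            throw new STSModuleException("WebSphere security error", e);
        } finally {
            this._log.exiting(CLASS, "doAuthorize");
        }
    }

    /**
     * Resolves the caller's name from the WebSphere caller subject.
     *
     * <p>NOTE(review): when the subject carries several principals, the name of the
     * <em>last</em> non-null one in {@code Subject.getPrincipals()} iteration order is used
     * (this matches the original behavior). That set is unordered, so for multi-principal
     * subjects the name fed into the allow/deny decision is not well-defined; confirm the
     * deployment's subject shape (typically a single WebSphere principal) before relying on it.
     *
     * @param finest whether FINEST logging is enabled (avoids re-querying the logger)
     * @return the chosen principal name, or {@code null} when there is no caller subject, no
     *     principal set, or no non-null principal
     * @throws WSSecurityException propagated from {@link WSSubject#getCallerSubject()}
     */
    private String callerPrincipalName(boolean finest) throws WSSecurityException {
        Subject callerSubject = WSSubject.getCallerSubject();
        if (callerSubject == null) {
            return null;
        }
        Set<Principal> principals = callerSubject.getPrincipals();
        if (principals == null) {
            return null;
        }
        if (finest) {
            this._log.logp(Level.FINEST, CLASS, "doAuthorize", "Subject has " + principals.size() + " principals.");
        }
        String name = null;
        for (Principal principal : principals) {
            if (principal != null) {
                if (finest) {
                    this._log.logp(Level.FINEST, CLASS, "doAuthorize", "Principal name " + principal.getName());
                }
                name = principal.getName();
            }
        }
        return name;
    }

    /**
     * Formats the effective configuration for the FINEST diagnostic record, e.g.
     * {@code Policy: deny User List: [alice,bob]}.
     *
     * @param policy the configured policy value (may be null; rendered as "null")
     * @param configuredUsers the configured user list, or null for none
     * @return the one-line description
     */
    private static String describeConfig(String policy, String[] configuredUsers) {
        StringBuilder sb = new StringBuilder("Policy: ").append(policy).append(" User List: [");
        if (configuredUsers != null) {
            for (int i = 0; i < configuredUsers.length; i++) {
                if (i > 0) {
                    sb.append(",");
                }
                sb.append(configuredUsers[i]);
            }
        }
        return sb.append("]").toString();
    }

    /**
     * Checks that the configured policy is one of the recognized values.
     *
     * <p>The user list is not validated: a missing or empty list is legal and simply means
     * "nobody listed" (which under {@value #POLICY_DENY} denies every caller).
     *
     * @param str the configured policy value; may be null
     * @param strArr the configured user list; currently unused
     * @throws STSModuleException if {@code str} is null or not one of
     *     {@value #POLICY_UNAUTHENTICATED}, {@value #POLICY_ALLOW}, {@value #POLICY_DENY}
     */
    void validateParams(String str, String[] strArr) throws STSModuleException {
        boolean known = POLICY_UNAUTHENTICATED.equals(str)
                || POLICY_ALLOW.equals(str)
                || POLICY_DENY.equals(str);
        if (!known) {
            throw new STSModuleException("Invalid policy configuration: " + str);
        }
    }
}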
